[Pkg-salt-team] Bug#983632: Backport to buster
Damien Norris
damien at cantrusthosting.coop
Fri Apr 9 20:58:52 BST 2021
Hello pkg-salt-team list members,
On 2021-03-09, Elimar Riesebieter wrote:
>is there any chance to get an appropriate backport for buster?
>According to [1] buster is vulnerable.
[1] https://security-tracker.debian.org/tracker/source-package/salt
I have been working on a backport of the 2018.3.5 version of these
patches, as released alongside the 3002 and 2016 versions by upstream on
Feb 25th: "Active SaltStack CVE Release"[2].
The following kludges were needed for my buster build:
[2]
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
I had several problems with the 2018.3.5 patches as they contain a
syntax error as well as break numerous tests with their code
refactoring. This prevents the Debian package build from completing
without some kludges to get past the test phase.
But.. I do now have the package building successfully now and it's
installed in some places and passed some initial testing in my buster
infrastructure! :-)
I also have some Debian 9 machines as well to figure out, and three is a
2016.11 series of patches provided, so I'm also planning to attempt a
similar backport for stretch next, i should have some results on that
this weekend.
Here is more detail on the kludges required, in case anyone else is also
working on this:
- add the two sets of 2018.3.5 patches to the debian/patches
- Fix the typo on line 2451 of the first of the patches [3] . The
statement "from" is mis-spelled "rom" which causes Syntax errors during
tests.
[3]
https://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2021/01/28/2018.3.5.patch#L2451
- Force Skip most of the VMWare cloud tests
(tests/unit/utils/test_vmware.py), especially the SSL verification
tests, as they fail due to the fixes for CVE-2020-28972 and/or
CVE-2020-35662. Some of these tests could be salvaged as it's just the
SSL verification ones and then one or two others that fail.
- Force Skip the Portage Config tests
(tests/unit/modules/test_portage_config.py) which fail for some
currently unknown reason I'll investigate more.
- The SSHPasswordTest hangs during the build process, because of the fix
to CVE-2101-3148. That fix causes subcommands to be run as a command
array rather than as a constructed string. Unfortunately this creates
some kind of bug in the constructed sting to be evaluated (its purpose
is to determine python version numbers available). Instead, the whole
thing just hangs until you press Ctrl-D to continue the tests/build.
This will happen shortly after output:
[tests.support.unit
:404 ] >>>>> START >>>>>
unit.client.test_ssh.SSHPasswordTests.test_password_failure
and after the final line:
[salt.fileserver
:499 ][DEBUG ] Updating roots fileserver cache
is where you must press Ctrl-D to continue the process.
Other than those kludges the patches apply well and everything builds
cleanly. So far it seems to work but I am unable to test some of the
features that have been fixed, like the cloud facing VMware ones (and I
had to disable those tests).
I am not sure if anyone else has made progress with this ? I know that
donfede had some builds working as well. I am new to the package
maintainer stuff but am definitely willing to help get this all the way
done, but i will need some help as I'm a packaging noob.
I'm not really sure what to do next beyond get it so it builds without
the ^D step and to try and get as many tests working as I can.
I am curious as to what is the policy where a security patch from
upstream did not include the necessary fixes for tests and breaks them?
Those VMWare tests might need expert help to make work again,
upstream is not committing their CVE patches to their git branches and
the code changed drastically between major versions.. so little to go on
as to how to fix them.
Anyway, I will report back here once I have one that fully builds
without the ^D step, at that point it may be ready for further testing.
I'll also report back on my attempt to get these fixes to stretch.
D.
More information about the pkg-salt-team
mailing list